Offensive Security Has Value

The Newsletter

With organizations and companies continuing to experience breaches in their networks, there is a need for the cybersecurity industry to quickly adapt their strategies so that they are inspecting the entire chain of steps leading up to a breach as well as taking an attacker point-of-view into where vulnerabilities exist in their networks. The Cipher Brief sat down with Guy Bejerano, CEO and Co-Founder of SafeBreach, to discuss these trends emerging within the cybersecurity industry.

The Cipher Brief: What would you say are the most important trends in terms of cyber attack techniques? What appears to be motivating those threats?

Guy Bejerano: What we see most are some misconceptions about how organizations are actually looking at their defenses in the sense that a lot of security processes are really siloed—or considered in isolation. When we’re talking about exfiltration for example, a lot of security teams focus on the “last mile,” when in reality there are multiple points throughout the process of an attack where security measures can intervene before the data is actually withdrawn from their systems. The lack of ability by organizations today to understand the hierarchical chain of steps, or “the attack kill chain,” is the key element we see. It’s not a trend, but more of a status that the market has been in for a few years now.

The greatest value for customers is showing the steps of an attack and not just the one final step. If customers can relate to four out of six steps, and if they are good at preventing those four steps, they can actually break the kill chain. So changing the focus from a singular point of view or action—the siloed approach that only looks at either network, endpoint, or cloud security—to examining the all of them within the context of the step-by-step flow of the attack kill chain, is the most important trend today.

TCB: Why has there been a strong focus on the last mile? Why do people only seem to notice the last part instead of paying attention to the whole chain?

GB: The way that security products and the market are structured is such that each security vendor actually delivers a value in a different location of the attack chain. As a result, it’s challenging for security teams to gain visibility into the attack kill chain. Companies tend to focus on the “last mile,” because they believe if they can stop the data from getting out, they can stop the breach. But exfiltration is in fact the most challenging phase to lock down, because companies tend to be fairly open nowadays, with lots of open connections to the Internet.

TCB: In terms of targeting behavior, have you seen any industries that seem to be getting hit more often than others? Do you see any changes or trends in that area?

GB: Actually vice versa. We see very opportunistic attacks and breaches. We believe more breaches will occur across a variety of different verticals; it’s not just one vertical that is more sensitive or vulnerable to attacks, because everyone has some kind of asset that is of monetary interest for an attacker nowadays.

TCB: You also have experience with cyber war gaming as a way of helping to improve cyber security posture.

GB: Our product runs war game simulations; we simulate the attacker using very comprehensive breach methods that a real hacker would use. The concept is to enable organizations to run attack simulations in a safe way before a breach really happens. If you run these simulations, you have the advantage of time to mitigate any gaps before someone actually takes advantage of them.

TCB: Has anything really stuck out to you when people are engaging in these war games and red teaming their own systems?

GB: For each simulation we run with customers, there is always this “Aha” moment, where people realize they had a concept in their mind about how their security is operating, and then our simulated breach reveals the reality of their security. It opens their eyes to what their security posture actually looks like. We’ve found lots of assumptions proven wrong – a payment card industry (PCI) environment that security teams thought was totally secure, while we actually discovered multiple ways to take credit card data out. In a heavily segregated environment where security teams really felt that they had a strong security posture, we were able to point out ways to actually bypass controls. That kind of “Aha” moment is what we see a lot.

TCB: When you are working with these companies, is the weak point usually technical or more of a human element?

GB: I believe vulnerabilities stem from the human element just because even if it is a technical security issue, it was probably a security product that was misconfigured or was not set up correctly. It’s partly because of the overwhelming volume and complexity of point security products and the human challenge of ensuring they are all working as expected. Things are also dynamic, and so the automation benefits we bring are really key in helping an organization realize what gaps they have at any moment. Your risks change over time, and the ability to address dynamic environments is critical.

TCB: Looking forward, based off of what you have been seeing about organizational behavior and attacker behavior in the past, how do you think those two competing things—how organizations approach their own security and how attackers try to penetrate it—will change moving forward?

GB: The key will be adaptive security. Our ability is to bring a very dynamic, continuous mode of validating controls and changing the way organizations are looking at security. Today we look at security from a very static point of view, and we need a dynamic and adaptive approach in the future. Both sides—the attackers and defenders—will evolve their skillsets over time, and if companies can adapt fast and adjust to a new attacks and make sure that the controls in place are actually working, then they will have the upper hand.

It is really amazing to see how the market is changing towards the understanding that offensive security can actually bring you value. So understanding the attacker is real, validating your controls through an attacker’s scenario is key. It is great to see the market is evolving in that direction.

Guy Bejerano is a co-founder and the CEO of SafeBreach. The company's platform provides a hacker's view of an enterprise's security posture to proactively predict attacks, validate security controls and improve SOC analyst response. Prior to SafeBreach, Guy was CSO of LivePerson. Guy has more than 24 years of deep domain expertise in operational, application and network security, specializing in building security programs for global companies and cloud services, including the... Read More